An AI model just found serious security

flaws in every major operating system

and web browser on Earth. One flaw was

hiding for 27 years inside one of the

most secure systems ever built.

Automated tools scanned that code 5

million times and they never caught it.

But here's where things get really

crazy. The company that built this AI

decided that it was too dangerous to

release. So instead, they gave it to 12

of the most powerful companies on the

planet. Almost all of which we can

invest in. My name is Alex and I spent 8

years as a radar engineer and AI

researcher at MIT and I've never seen AI

do anything like this. So subscribe to

the channel and let me show you what

just happened and how I'm investing in

it. Your time is valuable, so let's get

right into it. There's a piece of

software that's so foundational that it

powers almost every video you've ever

watched online including this one. It's

called FFmpeg and it had a bug. It used

two different kinds of counters that

didn't quite line up under one very

specific condition. A frame carefully

split into exactly 65,536

tiny pieces. That's 2 to the 16th power.

Those counters would collide when that

happens and when that happened, the

software could write data outside of the

memory it was allowed to touch which

opens the door for attackers to take

control of the machine running the

video. That's your PC or your smartphone

if you're the one playing that video.

But it's also the enterprise servers

that are processing it. Netflix, Apple,

YouTube. That bug was introduced in

2010. For 16 years automated testing

tools saw that same line of code. 5

million scans. Every single one missed

it and the reason is simple. Traditional

tools throw random inputs at software

and wait for it to crash. But this bug

only triggers at one specific number. A

random number tester would almost never

find it, but this AI read the code,

found the flaw, generated a custom test

for it, and confirmed the bug on its

very first try. This isn't a specialized

cybersecurity tool. It's not a model

that's trained to hunt vulnerabilities.

It's a general-purpose language model

called Claude Mythos, built by a company

called Anthropic. And here's why that

matters for investors. Anthropic didn't

set out to build a hacking tool. They

set out to build a better coding

assistant, but the model got so good at

reading code and so good at

understanding what a programmer

intended, as well as spotting the

difference between the two, that it

could find the flaws that human experts

have been missing for decades. So,

Anthropic trained Claude Mythos to be

really good at code, but as a side

effect, it got really good at securing

code as well. To understand why this is

such a huge deal for software stocks,

you need to understand how Mythos

actually finds these issues. The model

is placed in an isolated environment

with access to a specific code base. It

reads through the source files, which is

millions of lines of code, and finds the

parts most likely to be hiding serious

bugs. Then it writes and runs test

programs against that code to confirm or

disprove each potential bug. When it

finds one, it writes a formal

vulnerability report with a small

example that recreates the flaw in

practice. That's exactly what a

professional security researcher does

today. The difference is speed and

scale. A human analyst might take weeks

to audit a single block of code,

especially if it's mission-critical.

Mythos processes an entire code base in

hours, and it doesn't just find bugs, it

understands them. It reads the code the

way an engineer reads a blueprint,

understanding intent, spotting where the

code doesn't match that intent, and

reasoning about what would trigger the

failure. What's even crazier is just how

fast this happened. Cyber gym is a UC

Berkeley benchmark that throws over

1,500 real-world software bugs from

almost 200 open-source projects at

different AI models. The current Claude

model, Opus 4.6, scored a 66%.

Claude Mythos scored an 83. That's a

16-point leap in one model generation.

The difference between a D and a B on a

test. That's the jump from a case

originally finding bugs to finding bugs

in every major operating system and web

browser on Earth. That's what makes this

model so dangerous. But, it didn't stop

there. It found a 27-year-old bug in

OpenBSD, which is an operating system

that prides itself on being almost

impossible to hack. This one matters to

investors for two reasons. First, we

talk a lot about AI networking, but not

the code that makes it possible. And

second, this wasn't a single bug, it was

two bugs that chained together. The

first was a missing safety check, and

the second was a number rolling back to

zero at the wrong time. When combined,

they could purposely crash a machine

from anywhere on the internet with no

authentication required. Governments

have trusted this system to run their

firewalls since 1998.

Mythos found this bug in 2026. It also

found flaws in FreeBSD, which is how

Firefox runs JavaScript. It found over

180 different bugs in everything from

cryptography libraries to virtual

machine monitors and turned them all

into functional attacks. Previous models

found just two of these bugs. And on

Linux, which runs most of the world's

servers, Android phones, and cloud

infrastructure, it chained four separate

vulnerabilities together. On their own,

each bug looked pretty insignificant,

but combined, they let an attacker jump

from an ordinary user account to full

control of the Linux machine. Mythos is

not a proof of concept. Mythos is a

weapon, and that's why it scared the

market. But, there's something else on

the market that you need to know about,

and that's your private data. There are

hundreds of online data brokers making

big money by collecting and selling your

personal information. That's why I've

been using this video's sponsor,

DeleteMe, for over 2 years now, and I

really can't recommend them enough.

DeleteMe is a hands-free subscription

service that will remove your personal

information from those online data

brokers. They give you a quarterly

privacy report showing everything

they've done, and they reviewed over

55,000 listings for me so far. But, what

really surprised me is these data

brokers had way more than just my

private data. They had my wife's and my

entire family's, too. That's another

reason I really like DeleteMe. They have

a family plan, so we can all have more

control over our personal data. So, if

you care about your data and your

family's privacy, you can get 20% off

any plan with my code, SYMBOL20, by

going to joindeleteme.com/symbol20

or with my link in the description. And

a big thank you to DeleteMe and to you

for supporting the channel. All right,

the AI arms race is moving fast. In

2024, Google's Project Big Sleep found a

single new vulnerability in SQLite. In

2025, a DARPA competition threw 54

million lines of code at competing

systems that collectively found 18 bugs.

In April of 2026, Mythos found thousands

across every major operating system,

every major browser, and every major

code library on the planet. And it

didn't just find bugs, it built working

attacks around them. Anthropic says that

over 99% of these bugs are still

unpatched because the fixes just haven't

been deployed yet, and that should have

the market's full attention. And it did,

but probably not the way Anthropic

wanted. Two weeks before they were ready

to announce Mythos, a blog

misconfiguration leaked it to the

public, and the market was very quick to

react. Cybersecurity stocks tanked.

CrowdStrike, Palo Alto Networks,

everyone. The logic was obvious. If an

AI model can find bugs, exploits, and

vulnerabilities faster than any human,

then why do we need a

quarter-trillion-dollar cybersecurity

industry in the first place? The market

didn't see Mythos as a competitive

threat. It saw it as a meteor.

Inexpensive cybersecurity consultants

were the dinosaurs. And for a few days,

it looked like the market was right. The

question was which company would use

these capabilities first? And that's

where the next phase of this AI arms

race begins. Alex Stamos is the former

chief security officer at Facebook and

Yahoo. Today, he's the chief product

officer at Corridor, an AI security

startup. Alex put a number to the

timeline. Six months. That's how long

before small open-source models can find

bugs as well as Mythos. And once that

happens, every cybercrime syndicate,

every state-sponsored spy, and every

individual hacker on the planet gets

access to AI-powered exploit discovery.

And here's the uncomfortable truth for

this entire industry. The bottleneck was

never finding the exploits. It was never

about bug discovery. Arctic Wolf's

threat report found that 76% of actual

compromises, the real breaches, the real

data being stolen, the real ransomware

being deployed, involved one or more of

just 10 known already patchable

vulnerabilities. The flaws were already

found. The patches already existed.

Organizations just could not move fast

enough to deploy them. AI just removed

the speed limit, not for cybersecurity

companies, but for the attackers. When

every bad actor on the planet can find

bugs at AI speeds, the gap between this

bug exists and this bug was exploited

collapses from months to hours. The

entire defensive model of the

cybersecurity industry, find it, report

it, patch it, and deploy it, assumes

humans are the bottleneck on both sides

of the equation. That assumption just

broke since attackers can sit at home

and point AI models at public software

pretty much as fast as they can type

while defenders have to fix the code,

test it, get approvals, schedule

maintenance windows, and avoid breaking

their customer deployments. That means

tickets, meetings, and manual reviews.

On top of that, attackers benefit from

automation, scanning for weaknesses,

writing fishing emails, exploring attack

pads, and generating exploit code while

defenders have to slow down to make sure

they meet regulatory requirements, work

with legacy systems, check with multiple

vendors, and have compliances that they

need to uphold. You can't just let an AI

patch a problem at a bank or a hospital

and hope for the best, but you

definitely can attack them that way. And

that six-month window is actually

shrinking. IO, an independent security

research lab, tested eight smaller,

cheaper, publicly available models to

see if they could reproduce Mythos's

findings. All eight models found the

same exploits that Mythos did. One of

those models had 3.6 billion parameters

and cost 11 cents per million tokens.

For investors, that means it's not about

the model itself, it's about the systems

built around it. The targeting, the

validation, the triage, the

relationships with maintainers, but the

raw capability is spreading fast. In

fact, Palo Alto Networks' chief security

intelligence officer said open models

are only weeks or months away from

matching Mythos. Cybersecurity trainers

at the SANS Institute say that that

capability exists now for finding and

exploiting basic vulnerabilities. So, 6

months is the optimistic estimate, and

the clock started on April 7th. Now, let

me say the quiet part out loud. The AI

model finding bugs to patch is the same

AI model that's exploiting them. There's

no architectural difference. There's no

switch you flip from offense to defense.

It's the exact same capability that

makes Mythos a shield that also makes it

a sword. Anthropic's own red team said

it best. The same improvements that make

the model substantially more effective

at patching vulnerabilities also make it

substantially more effective at

exploiting them. Before going public

with Mythos, Anthropic briefed senior

officials at two agencies responsible

for defending America's digital

infrastructure. NSA analysts were

already discussing what Mythos means for

cyber operations. And as an investor,

think about what this means for the

market. Anthropic, a private company

valued at $380 billion after the second

largest venture capital raise in

history, is sitting on software exploits

for almost every major company on Earth.

Over 99% of the vulnerabilities that

Mythos found are still unpatched, which

means Anthropic is effectively deciding

what gets fixed first, how much

information to release, when, and to

who. This is not a product launch. It's

a national security threat, and the real

question is who ultimately controls this

capability. Who gets access besides

Anthropic? And what happens when open

models start finding these same exploits

all over the internet? Those aren't

questions you're going to get answers to

on an earnings call. And this is where

Anthropic made a big decision that

affects the entire stock market. They

didn't sell Mythos to the government.

They didn't license it to the highest

bidder, and they didn't open source it

to level the playing field. They formed

a defensive coalition called Project

Glass Wing, and gave early access to

some of the most powerful publicly

traded companies on the planet, Amazon,

Apple, Broadcom, Cisco, CrowdStrike,

Google, JP Morgan Chase, Microsoft,

Nvidia, Palo Alto Networks, and more

than 40 other organizations. The

cybersecurity stocks that went down on

the leak surged on the announcement.

CrowdStrike jumped over 6% in a single

session. Palo Alto rose almost 5%. The

Mythos model went from being a sword

pointed at the industry to the shield

protecting it. And now that you

understand what just happened, here's

exactly how I'm investing in it. The

biggest thing for investors to

understand is that the cybersecurity

industry is about to undergo a massive

shift from detecting and responding to

threats to predicting and preventing

them. The cybersecurity industry spent

the last two decades building tools to

catch attackers after they got in.

Glasswing is the first serious attempt

to find every flaw before the attackers

do. And the cybersecurity companies

inside this coalition are not being

disrupted by Mythos. They're being armed

with it. If it works, this will be the

single biggest shift in cybersecurity

since the invention of the firewall. And

if it doesn't, every enterprise on Earth

just entered an arms race they have no

way to win. But let's talk about who

wins from this today. The obvious

winners are the companies inside Project

Glasswing, the ones with direct access

to Mythos and the infrastructure to

deploy what it finds. CrowdStrike

focuses on endpoint detection and

response. So securing desktops, laptops,

and smartphones, really any device that

connects to a company network. Their

Falcon platform has three parts, a suite

of cloud-based modules that do things

like run virus scans, manage firewalls,

and detect malware. They have a separate

threat graph that maps out a company's

networks, the devices on it, the users,

and the permissions to make sure all the

network traffic is legit. And then their

Falcon agent is a lightweight agent that

runs on each device to send security

data back for analysis. Charlotte AI is

their AI assistant layer, and agent

works is their agentic automation

platform. Being armed with Mythos means

that CrowdStrike can use their Falcon

platform to proactively patch

vulnerabilities across their entire

customer base before attackers find

them. CrowdStrike's revenue came in at

$1.31 billion for their latest quarter,

which is up 23% year-over-year. Annual

recurring revenue came in at $5.25

billion,

which is up 24%. Net new ARR came in at

$331 million, up 47%.

And if you think you missed the boat on

CrowdStrike, they just posted their

first-ever GAAP profitable quarter, and

their gross customer retention sits at

97%.

CrowdStrike stock is not cheap. A $100

market cap means roughly 20 times

price-to-sales. But now that they're

armed with Mythos, we could see their

revenues, their profits, and their

overall growth continue to accelerate

while their competition still waits for

access. Palo Alto Networks is the other

pure-play cybersecurity company in

Project Glasswing. Their strategy is

convincing enterprises to consolidate

their security spending onto a single

platform: network security, cloud

security, access protection, and so on.

Cortex, their AI-powered security

operations platform, integrates directly

with Mythos for proactive threat

detection and response. Palo Alto's

annual recurring revenue from

next-generation security grew by 33%

year-over-year, and their guidance

implies more than 50% growth in next-gen

security for the rest of this fiscal

year. Their total annual revenue is

approaching $11 billion,

which makes Palo Alto Networks the

cheaper stock. They trade at roughly 14

times sales compared to CrowdStrike's

20, mostly because CrowdStrike is

growing significantly faster. The

hyperscalers, Microsoft, Google, and

Amazon, form the platform layer of

Anthropic's Project Glass Wing. They

host Mythos, they use it internally, and

they'll probably add it to their

server-side security offerings over

time. Microsoft alone runs the largest

cloud security business on the planet,

bringing roughly $28.5 billion a year.

These companies aren't using Mythos to

sell more cloud access. They're using it

to manage risk across the entire

infrastructure powering AI and the

internet. The best way to find great

investments is understanding a company's

products, not just their profits. And

the best companies have perfect products

for quickly growing markets. Nvidia,

Broadcom, Apple, these companies armed

with Mythos will define the next era of

digital security, while everyone else is

effectively defending against tomorrow's

attacks with yesterday's tools. And AI

is already making the global

cybersecurity market grow fast, from

$380 billion in 2026 to $1.2 trillion in

2034. That's a 15.5%

compound annual growth rate for the next

8 years, faster than the growth of the

S&P 500. And I expect it to accelerate

as more crime syndicates, more spies,

and more hackers in general start using

more advanced AI for their attacks. So,

the question for investors isn't whether

cybersecurity spending will keep

climbing. It's which companies will

capture it. That's why the ones in

Project Glass Wing are the ones that I'm

investing in. But here's the part we

can't model in our spreadsheets. Less

than 1% of the thousands of

vulnerabilities that Mythos has

discovered have actually been patched.

Less than 1%. Anthropic promised a

public report in the next 90 days.

That's July 2026. And in it, they're

going to spell out what they found,

what's been fixed, and who is still

exposed. If that report shows 10 to 20%

of the bugs have been fixed, then the

defenders really do have an edge. But if

it only shows 1% of the bugs have been

fixed and the vulnerabilities have been

closed, then the critics will be right.

Attackers will move as fast as AI, while

defenders will stay at the speed of

tickets, the speed of meetings, and

manual reviews. Remember, finding bugs

can be automated, but fixing them can't,

especially for banks, for hospitals, and

for other regulated industries. That's

why I think Palantir will play an

important role here, too. But there's

one last conflict that I'm not sure how

Anthropic will overcome, or if they even

can. Anthropic is reportedly considering

an IPO in October of 2026. That means

that the company that decided Mythos was

too dangerous to sell will also need to

justify a half-trillion-dollar valuation

to public market investors. The conflict

between cyber safety and shareholders is

very real. Anthropic's 90-day security

report will land in July. Open models

are improving every single month. The

clock is ticking, but whether

Anthropic's bet that six months of

Mythos running defense can outpace

AI-powered offense will pay off for the

companies in Project Glasswing, for

their stocks, and for the security of

every data center on the planet, that's

something the market hasn't priced in

yet. Let me know what you think in the

comments. Is Mythos a temporary edge for

the defenders, or is this AI-driven arms

race the start of a new era of

cybersecurity? And if you want to see

more science behind the stocks, check

out this video next. Either way, thanks

for watching, and until next time, this

is ticker symbol U. My name is Alex,

reminding you that the best investment

you can make is in you.